topic Re: Firepower cluster dc-dr in Network Security

Firepower cluster dc-dr

ashleybabajee — Thu, 07 Apr 2022 17:14:15 GMT

Hi Guys,

I have a firepower cluster, 2 on DC and 2 on DR connected through a nexus switch ( dark fiber) , i am getting mac flapping on the nexus , the Site ID on the chassis is both different.

Can anyone advise please

Re: Firepower cluster dc-dr

Marvin Rhoads — Thu, 07 Apr 2022 17:58:45 GMT

Can you share a diagram of your setup?

Are the Nexus' in a VPC configuration?

Re: Firepower cluster dc-dr

ashleybabajee — Fri, 08 Apr 2022 05:35:20 GMT

Hi @Marvin Rhoads

Yes they are in a vpc configuration

Re: Firepower cluster dc-dr

ashleybabajee — Wed, 13 Apr 2022 11:10:30 GMT

Hi @Marvin Rhoads , any idea ?, i have already uploaded the diagram, grateful to advise.

Re: Firepower cluster dc-dr

Marvin Rhoads — Wed, 13 Apr 2022 17:36:02 GMT

Are all four firewalls in a single cluster?

Are there vPCs between the Nexus switches?

Re: Firepower cluster dc-dr

ashleybabajee — Thu, 14 Apr 2022 06:49:49 GMT

Hi @Marvin Rhoads ,

Yes, all the firewall are in the same cluster, and yes there's vPV between the Nexus.

Re: Firepower cluster dc-dr

Marvin Rhoads — Sun, 17 Apr 2022 12:02:40 GMT

If I understand it correctly you are using what Cisco calls "Split Spanned Etherchannel Cluster". They mention in Cisco Live presentation BRKSEC-3032 that filtering is required is such a use case to avoid MAC/IP conflicts.

Re: Firepower cluster dc-dr

ashleybabajee — Mon, 18 Apr 2022 12:18:23 GMT

I have applied mac acl on the HO nexus , but still same issue , there's a port-channel/vPC between the HO and DR Nexus, when one link is up it works fine, however when both links are up, we get the mac flap issues.

Re: Firepower cluster dc-dr

Marvin Rhoads — Mon, 18 Apr 2022 12:31:12 GMT

That's odd. I'd suggest opening a TAC case so that the engineer can work with you in real time to trace the root cause.

Re: Firepower cluster dc-dr

kimier1983 — Tue, 11 Jun 2024 17:41:08 GMT

I think I had the same problem trying to deploy the exact scenario (four clustered FPR 4100 and 2 DCs). Cluster was extended between DCs, having the control role on one DC and setting a different site-ID on every DC, that is FPRs on DC had site-ID 1 and and FPRs on the other DC had site-ID 2. Having just one DC active everything was working fine, although several MAC flapping messages are showing on the Nexus switches, from the connectivity standpoint nothing happens, however the when the second DC was added to the equation everything was impacted and degraded,

I´ve been testing in a reduced scenario setting a different site-ID (1 to 4) on every FPR, regardless the DC location and it looks like the flapping messages has gone, so I guess it´s not necessary to filter the MAC movement messages, since they´re not showing anymore

Would you mind to share what solution was offered by the TAC? I´ve engaged them to help on this matter but so so far no luck...

Thank you very much

Regards

Iván